4-6.3 Roles and Responsibilities


Roles

Responsibilities

ISSO and development team

Request code review (if applicable); conduct security testing; document security testing; request vulnerability scans; request penetration test (if applicable); request independent reviews (if applicable); conduct risk assessment; and develop a risk mitigation plan addressing high and medium risks and recommending whether the risks should be accepted, transferred, or further mitigated.

ISSO

Evaluates C&A documentation, prepares a C&A evaluation report that details the findings, and either makes the decision to escalate security concerns to the executive sponsor and Business Relationship Management portfolio manager or signs the C&A evaluation report and forwards the report to the certifier.

Certifier (manager C&A process)

Reviews the C&A evaluation report and C&A documentation package, makes the decision to escalate security concerns to the executive sponsor and Business Relationship Management portfolio manager or certifies the information resource by preparing and signing a certification letter, and forwards the certification letter and C&A evaluation report to the accreditor.

Business Relationship portfolio manager

Provides personnel for correcting deficiencies.

Accreditor (manager, CISO)

Analyzes the C&A evaluation report, certification letter, and business documentation, and makes the decision to:

  1. Escalate security concerns to the VP IT and the VP functional business area and indicate the C&A phase to return to for rework, or
  2. Prepare and sign a Full Accreditation Letter, and forward the Full Accreditation Letter to the VP IT and the VP functional business area, or
  3. Prepare and sign a Conditional Accreditation Letter with some requirements that need to be met within a certain time frame, and forward the Conditional Accreditation Letter to the VP IT and the VP functional business area. If the requirements are not met in the indicated time frame, the accreditor will issue a Failure To Comply Letter to the VP IT and the VP functional business area.

Chief Privacy Officer and Accreditor

Acknowledge any unmitigated medium or high residual risks associated with the information resource.

Executive sponsor

Ensures completion of C&A process and provides personnel and financial resources for correcting deficiencies.

ISSR

Supports executive sponsor and Business Relationship Management portfolio manager as requested to correct deficiencies.

Other stakeholders

Participate by responding on outstanding issues or providing advisory support.

Note: If the projected delivery dates of the security code review (if applicable), ST&E testing and report, vulnerability scans, penetration test, independent reviews (if applicable), risk assessment, or risk mitigation plan change, the POA&M must be amended and the ISSO notified of the changes.